Welcome back Ramnit – Anti-detection rootkit back in action

Ramnit is the name of a rootkit family built around a sophisticated, mutating rootkit that infects files with polymorphic code and, in some versions, locks the infected files to disk.

“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.

A new payload module, called Antivirus Trusted Module v1.0, is used by Ramnit to kill all antivirus processes, though to date only AVG AntiVirus 2013 has been added to the module, Liu said.